Next-Gen CASB Blog

From coin-flip DLP to Next-Gen CASB

One of our customers replaced a first-gen CASB with Bitglass. A few months later, they took a call from a prospective customer to speak about their experience.

The prospect asked the customer to compare their experience with Bitglass against the CASB that was replaced. Two things, said the customer (a) We got fully deployed in a couple of weeks and now secure over a dozen applications with Bitglass. (b) The administrative overhead dropped from four full-time admins to one-part time admin.

Being the only agentless CASB, we had heard from many customers that Bitglass deploys rapidly. But the second item was rather interesting. Why did this 15,000 person healthcare organization need four administrators for their first-gen CASB?

The answer was that since the first-gen CASB could not be deployed inline, it simply threw off API alerts on DLP scans of data at-rest in the cloud. And the error rate of the DLP engine was 50%, might as well flip a coin. It took four admins to chase down these alerts to determine if these DLP events were HIPAA violations that required regulatory disclosure.

Once the enterprise switched to Bitglass, Stateful DLP enforced inline ensured that data originating in trusted zones remained within trusted zones. Admin overhead fell drastically to a part-time CASB administrator. No need to chase down DLP alerts after the fact.